By: Ben Cory user 25 Sep 2017 at 5:16 a.m. CDT

3 Responses
I am trying to configure an external IDP for inbound SAML. Following [the SAML guide](https://gluu.org/docs/ce/admin-guide/saml/) I have tried uploading the certificate as CRT and PEM without success. This is a self-signed Windows certificate, so I have used openssl to convert to crt etc. I have tried exporting on Windows as DER and base64 with conversion commands such as:

```
C:\OpenSSL-Win32\bin\openssl x509 -inform DER -in C:\Work\SSO\certs\certDER.cer -out certificate.crt
C:\OpenSSL-Win32\bin\openssl x509 -inform DER -in C:\Work\SSO\certs\certDER.cer -out certificate.pem
C:\OpenSSL-Win32\bin\openssl x509 -inform PEM -in C:\Work\SSO\certs\certbase64.cer -out certificate.crt
C:\OpenSSL-Win32\bin\openssl x509 -inform PEM -in C:\Work\SSO\certs\certbase64.cer -out certificate.pem
```

I have also tried as P7b, first converting to pem then crt, using commands such as:

```
C:\OpenSSL-Win32\bin\openssl pkcs7 -inform der -in certPK7.p7b -out certPK7.pem
C:\OpenSSL-Win32\bin\openssl pkcs7 -print_certs -in certPK7.pem -out certPK7.crt
```

All attempts to import the pem or crt certificate files result in the UI reporting:

Certificate Uploaded Add certificate ERROR:

The identity oxtrust log reports the exception as:

```
2017-09-25 10:00:36,259 WARN [qtp985655350-17] [org.gluu.oxtrust.service.asimba.AsimbaXMLConfigurationService] (AsimbaXMLConfigurationService.java:147) - Certificate parsing exception
java.lang.ClassCastException: org.bouncycastle.cert.X509CertificateHolder cannot be cast to java.security.cert.X509Certificate
    at org.gluu.oxtrust.ldap.service.SSLService.getPEMCertificateStatic(SSLService.java:128) ~[classes/:?]
    at org.gluu.oxtrust.ldap.service.SSLService.getPEMCertificate(SSLService.java:101) ~[classes/:?]
    at org.gluu.oxtrust.service.asimba.AsimbaXMLConfigurationService.addCertificateFile(AsimbaXMLConfigurationService.java:141) [classes/:?]
    at org.gluu.oxtrust.service.asimba.AsimbaXMLConfigurationService.addCertificateFile(AsimbaXMLConfigurationService.java:125) [classes/:?]
```
I have also tried uploading \etc\certs\shibIDP.crt from the Gluu server and receive the same exception. Is this an issue with the latest Gluu or is there something else I need to configure? Any help would be greatly appreciated.

By Aliaksandr Samuseu staff 25 Sep 2017 at 5:45 a.m. CDT

Hi, Ben. Certificate needs to be in PEM format. Please share the certificate you're trying to upload.

By Ben Cory user 25 Sep 2017 at 5:55 a.m. CDT

Please find the certificate on the url below

By Aliaksandr Samuseu staff 19 Oct 2017 at 11:50 a.m. CDT

Hi, Ben. I created a [GitHub report](https://github.com/GluuFederation/oxTrust/issues/755) for this issue, thank you for reporting it. Please use the next steps to add the certificate to Asimba's jks store for now:

1. Get store's password: `# grep -i -e pass /install/community-edition-setup/setup.properties.last | grep -i asimbajks`
2. Import the certificate: `# /opt/jre/bin/keytool -import -alias %ENTITYID_OF_IDP% -file ~/cert.crt -keystore /etc/certs/asimbaIDP.jks -storepass %JSKPASS%`

...where `%ENTITYID_OF_IDP%` is the exact entityid from this IDP's metadata.
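
A pre-import check for the keytool workaround above, added here as an example and not part of the thread or of Gluu's code: it confirms the file holds exactly one X.509 certificate (PEM or DER, not a PKCS7 bundle), confirms that certificate is a signing key published in the IdP's metadata, and takes the alias from the metadata's `entityID`. The function names, the `idp.example.org` entity ID and the sample bytes are constructed for illustration; `-storepass` is left out so keytool prompts for the password instead of taking it on the command line.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def load_cert_der(data: bytes) -> bytes:
    """Return the DER bytes of the single X.509 certificate in a .cer/.crt/.pem file."""
    blocks = PEM_RE.findall(data)
    if not blocks:
        if data[:1] == b"\x30":  # raw DER begins with an ASN.1 SEQUENCE tag
            return data
        raise ValueError("file is neither PEM nor DER")
    certs = [body for label, body in blocks if label == b"CERTIFICATE"]
    if len(certs) != 1:  # e.g. a P7B saved as PEM carries a PKCS7 block instead
        raise ValueError(f"expected one CERTIFICATE block, found {[l.decode() for l, _ in blocks]}")
    return base64.b64decode(b"".join(certs[0].split()))

def idp_signing_keys(metadata_xml: str):
    """Return (entityID, SHA-256 fingerprints of the signing certificates) from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    entity = root if root.tag == MD + "EntityDescriptor" else root.find(".//" + MD + "EntityDescriptor")
    prints = set()
    for kd in entity.iter(MD + "KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # no "use" attribute means signing and encryption
            for cert in kd.iter(DS + "X509Certificate"):
                prints.add(hashlib.sha256(base64.b64decode("".join(cert.text.split()))).hexdigest())
    return entity.get("entityID"), prints

def keytool_import_args(cert_path: str, cert_bytes: bytes, metadata_xml: str) -> list:
    """Build the keytool call from the reply above; refuse a cert the metadata does not list."""
    entity_id, prints = idp_signing_keys(metadata_xml)
    if hashlib.sha256(load_cert_der(cert_bytes)).hexdigest() not in prints:
        raise ValueError("certificate is not a signing key in this IdP's metadata")
    return ["/opt/jre/bin/keytool", "-import", "-alias", entity_id,
            "-file", cert_path, "-keystore", "/etc/certs/asimbaIDP.jks"]

# Constructed sample input: placeholder bytes standing in for a certificate, not a real one.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER)
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 + b"-----END CERTIFICATE-----\n"
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.org/saml">'
    '<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>'
    '<X509Certificate>' + SAMPLE_B64.decode() + '</X509Certificate>'
    '</X509Data></KeyInfo></KeyDescriptor></EntityDescriptor>')
if __name__ == "__main__":
    print(" ".join(keytool_import_args("cert.crt", SAMPLE_PEM, SAMPLE_METADATA)))
```
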